Some businesses apply a security concept of "least permissions", "least privileged user", or "least privilege model". In that case, using Domain Administrator accounts to join systems to the domain may not be desirable.
This article defines the minimum set of Active Directory (AD) domain permissions an AD user needs on an Organizational Unit (OU) or the Computers container to successfully join a vCenter Server Appliance into an AD domain.
Symptoms:
- Joining vCenter Server Appliance or ESXi host into the Active Directory domain fails.
- You see the error:
LW_ERROR_LDAP_CONSTRAINT_VIOLATION or LW_ERROR_LDAP_INSUFFICIENT_ACCESS
- Running the command "/opt/likewise/bin/domainjoin-cli join [domain] [user name] [password]" to join the domain with a restricted user account fails with the error:
Error LW_ERROR_LDAP_CONSTRAINT_VIOLATION [code 0x00009d7b] OR LW_ERROR_LDAP_INSUFFICIENT_ACCESS [code 0x00009d8b]
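Both errors above point at the join account lacking rights on the target OU. Before retrying domainjoin-cli, it helps to see exactly which access control entries that account holds on the OU, directly or through group membership. The following PowerShell script is an added example, not part of the original KB article or of VMware's tooling; it uses the Microsoft ActiveDirectory module's AD: drive to read the OU's security descriptor. The OU distinguished name and the account name are placeholders, and the GUID-to-name table only labels well-known schema and extended-right GUIDs for readability; it does not by itself define the required permission set.

```powershell
# Added example (not from the original KB article): list the access control
# entries a given AD user holds, directly or via direct group membership, on
# the OU that will receive the vCenter Server Appliance computer object.
# Run it as an account allowed to read the OU's security descriptor.
Import-Module ActiveDirectory

$ouDn   = 'OU=vCenter Servers,DC=example,DC=local'   # placeholder OU
$userId = 'svc-vcjoin'                                # placeholder join account

# Well-known AD GUIDs that commonly show up in a computer-join delegation.
# Used only to label ACEs in the output (assumed from the AD schema).
$knownGuids = @{
    '00000000-0000-0000-0000-000000000000' = 'All object types / all properties'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'Computer objects (class)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset password (extended right)'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write to DNS host name'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write to service principal name'
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'Account restrictions (property set)'
}

# Security principals whose ACEs apply to this user: the user itself plus the
# groups it is a direct member of (nested membership is not resolved here).
$user   = Get-ADUser -Identity $userId
$groups = Get-ADPrincipalGroupMembership -Identity $user
$sids   = @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })

# Read the OU's security descriptor through the AD: PowerShell drive.
$acl = Get-Acl -Path ("AD:\" + $ouDn)

$acl.Access |
    Where-Object {
        # Translate the ACE's NTAccount identity to a SID for comparison.
        $sid = try {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { $null }
        $sid -and ($sids -contains $sid)
    } |
    ForEach-Object {
        $objType = $_.ObjectType.ToString()
        [PSCustomObject]@{
            Principal   = $_.IdentityReference.Value
            AccessType  = $_.AccessControlType        # Allow / Deny
            Rights      = $_.ActiveDirectoryRights    # e.g. CreateChild, WriteProperty
            AppliesTo   = if ($knownGuids.ContainsKey($objType)) { $knownGuids[$objType] } else { $objType }
            Inherited   = $_.IsInherited
            Inheritance = $_.InheritanceType          # e.g. Descendents, All
        }
    } | Format-Table -AutoSize
```

If the output shows no Allow entries for the account (or only entries that do not cover computer objects), the LDAP insufficient-access error is expected; compare the listed rights with the delegation the article prescribes before retrying the join.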